author | Jose <jose@zeroc.com> | 2014-10-21 20:16:27 +0200 |
---|---|---|
committer | Jose <jose@zeroc.com> | 2014-10-21 20:16:27 +0200 |
commit | 1eb1b665e9c3ef8c2f7b9b06352d634b1f9d0e74 (patch) | |
tree | bc554207011272cc7d23eb2211ab74fb4363e045 /cpp/src/IceSSL/SChannelEngine.cpp | |
parent | Added ability to build just java tests against ice installation (diff) | |
Fixed (ICE-5758) - Disable SSLv3 by default
Diffstat (limited to 'cpp/src/IceSSL/SChannelEngine.cpp')
-rw-r--r-- | cpp/src/IceSSL/SChannelEngine.cpp | 22 |
1 files changed, 14 insertions, 8 deletions
diff --git a/cpp/src/IceSSL/SChannelEngine.cpp b/cpp/src/IceSSL/SChannelEngine.cpp
index 595a85aa220..bef93424650 100644
--- a/cpp/src/IceSSL/SChannelEngine.cpp
+++ b/cpp/src/IceSSL/SChannelEngine.cpp
@@ -93,31 +93,31 @@ parseProtocols(const StringSeq& protocols)
 for(Ice::StringSeq::const_iterator p = protocols.begin(); p != protocols.end(); ++p)
 {
- string prot = *p;
+ string prot = IceUtilInternal::toUpper(*p);
- if(prot == "ssl3" || prot == "sslv3")
+ if(prot == "SSL3" || prot == "SSLV3")
 {
 v |= SP_PROT_SSL3_SERVER;
 v |= SP_PROT_SSL3_CLIENT;
 }
- else if(prot == "tls" || prot == "tls1" || prot == "tlsv1" || prot == "tls1_0" || prot == "tlsv1_0")
+ else if(prot == "TLS" || prot == "TLS1" || prot == "TLSV1" || prot == "TLS1_0" || prot == "TLSV1_0")
 {
 v |= SP_PROT_TLS1_SERVER;
 v |= SP_PROT_TLS1_CLIENT;
 }
- else if(prot == "tls1_1" || prot == "tlsv1_1")
+ else if(prot == "TLS1_1" || prot == "TLSV1_1")
 {
 v |= SP_PROT_TLS1_1_SERVER;
 v |= SP_PROT_TLS1_1_CLIENT;
 }
- else if(prot == "tls1_2" || prot == "tlsv1_2")
+ else if(prot == "TLS1_2" || prot == "TLSV1_2")
 {
 v |= SP_PROT_TLS1_2_SERVER;
 v |= SP_PROT_TLS1_2_CLIENT;
 }
 else
 {
- throw PluginInitializationException(__FILE__, __LINE__, "IceSSL: unrecognized protocol `" + prot + "'");
+ throw PluginInitializationException(__FILE__, __LINE__, "IceSSL: unrecognized protocol `" + *p + "'");
 }
 }
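Review bot: The `TLS` / `TLS1` / `TLSV1` aliases on the second branch still set only the SP_PROT_TLS1_* bits, so a deployment that writes `IceSSL.Protocols=tls` to mean "TLS rather than SSL" ends up restricted to TLS 1.0 alone, which is weaker than the new default and gives no indication of that. Either document that `tls` means TLS 1.0 exactly, or let that alias also OR in the TLS 1.1 and 1.2 bits (a behaviour change that would need a release note). Explicitly listing `ssl3` is also still silent; emitting a warning when the SSL3 bits end up set would make a deliberate downgrade visible in logs. The declaration of `v` and the return of parseProtocols lie outside the hunk.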
@@ -182,9 +182,15 @@ SChannelEngine::initialize()
 const PropertiesPtr properties = communicator()->getProperties();
 //
- // Protocols selects which protocols to enable.
+ // Protocols selects which protocols to enable, by default we only enable TLS1.0
+ // TLS1.1 and TLS1.2 to avoid security issues with SSLv3
 //
- const_cast<DWORD&>(_protocols) = parseProtocols(properties->getPropertyAsList(prefix + "Protocols"));
+ vector<string> defaultProtocols;
+ defaultProtocols.push_back("tls1_0");
+ defaultProtocols.push_back("tls1_1");
+ defaultProtocols.push_back("tls1_2");
+ const_cast<DWORD&>(_protocols) =
+ parseProtocols(properties->getPropertyAsListWithDefault(prefix + "Protocols", defaultProtocols));
 //
 // Check for a default directory. We look in this directory for |
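Review bot: The new comment above the default list says what is enabled but not that SSLv3 remains selectable by naming it explicitly, which is the fact an operator auditing this setting needs; I'd reword it as `// Protocols selects which protocols to enable. By default only TLS 1.0, 1.1 and 1.2 are` / `// enabled (SSLv3 is off, see ICE-5758); it can still be turned on explicitly via this property.` Separately, if getPropertyAsListWithDefault returns an empty list for a property that is set but empty (I cannot tell from here), parseProtocols yields a zero mask, and what SChannel does with a zero enabled-protocols mask presumably falls back to the system defaults, which on Windows of this era may include SSLv3; treating an empty list as the default here would close that gap. The remainder of initialize() continues outside the hunk.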